CANCUN, MEXICO – A prominent privacy activist says that leading software vendors and the U.S. government are failing the public when it comes to Internet privacy, and that big changes are needed to protect consumers from criminals, advertisers and government spies.

Christopher Soghoian, a Washington, DC-based Graduate Fellow at the Center for Applied Cybersecurity Research, told attendees at Kaspersky’s Security Analyst Summit (SAS) that major technology vendors, including Google, Microsoft and Facebook, have promoted a culture of insecurity to support advertising-based business models that rely on Internet users surrendering information about their online movements and preferences.

Soghoian, who has blogged about privacy issues and revealed security holes in services like Dropbox, said that leading technology firms have studiously avoided making their products protect user privacy by default, and have underinvested in features that would make it easy for users to opt in to better privacy.

“These firms are leaving users vulnerable and they’re not informing them about the threat,” Soghoian said. “The result is that if they get hacked, they’re not going to know it.”

The situation is the result of a market in which software firms give away sophisticated applications in exchange for user data, but in which the terms of that exchange are often hidden from the consumers surrendering that data.

“We all use software provided to us by companies,” Soghoian said. “But in the last few years we’ve switched from a market in which consumers mostly bought software to one in which the software they use is given to them for free.” Software firms, however, are not charities.

“Browsers are not cheap to make. So you have to ask why the companies are offering these products for free.” The short answer is “to get user data.”

“They give us their software because they want our data.”

Soghoian said that most popular browsers and Web-based applications “spew private data” about their owners’ movements and preferences. That data is then vacuumed up by advertising firms – many of them divisions of the same companies that make the browser software – and used to serve targeted advertising.

Browser history data, headers and – increasingly – the plethora of user-submitted data from social networks all combine to create detailed dossiers on consumers, he said.

Users struggle to understand the consequences of loose security configurations, while the software companies often put access or usability barriers in the way that make sure more secure configurations are not adopted, he said.

Cookie management interfaces that are critical to prevent Web sites from tracking user activity are difficult to access and are rarely – if ever – updated to make them more usable, he said.
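The tracking the talk describes is mechanically simple: a page on one site pulls in resources from ad and analytics hosts, and those hosts set long-lived cookies that ride along on every later cross-site request. The following script is an added example, not code from the article or from Soghoian, showing the check a practitioner can run over the Set-Cookie headers observed during a page load to spot cookies that behave like cross-site trackers. The page host, the response list and the fixed timestamp are constructed for illustration; the domain matching is a deliberately crude eTLD+1 (last two labels), and a real audit would consult the public suffix list.

```python
"""Flag third-party tracking cookies observed while loading one page.

Added example, not part of the original article. A cookie is reported as a
tracker when it is (1) set under a site other than the page's own, (2) kept
longer than LONG_LIVED_SECONDS, and (3) sent on cross-site requests, i.e.
SameSite=None or no SameSite at all (legacy browsers treat unset as None).
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Anything kept longer than this counts as "persistent" for the audit.
LONG_LIVED_SECONDS = 30 * 86400

# Constructed sample: a news page that embeds an ad network, an analytics
# pixel and its own CDN. The fixed "now" keeps the Expires arithmetic stable.
SAMPLE_PAGE_HOST = "news.example.com"
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSES = [
    ("news.example.com",
     "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("ads.tracker-example.net",
     "uid=9f8e7d; Domain=.tracker-example.net; Path=/; Max-Age=63072000; Secure; SameSite=None"),
    ("cdn.example.com",
     "prefs=dark; Max-Age=2592000; SameSite=Lax"),
    ("pixel.metrics-example.org",
     "vid=4455; Expires=Thu, 01 Jan 2037 00:00:00 GMT; Path=/"),
]


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (assumption: no multi-label public suffixes such as co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value}); attribute names lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def lifetime_seconds(attrs, now):
    """Seconds the cookie persists from `now`; 0 for a session cookie or an unparsable date. Max-Age beats Expires."""
    if "max-age" in attrs:
        try:
            return max(int(attrs["max-age"]), 0)
        except ValueError:
            return 0
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return 0
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max(int((expires - now).total_seconds()), 0)
    return 0


def audit_cookies(page_host, responses, now=None):
    """Return one finding per cookie; 'tracker' is True when it is third-party, persistent and cross-site-readable."""
    now = now or datetime.now(timezone.utc)
    page_site = registrable_domain(page_host)
    findings = []
    for response_host, header in responses:
        name, _value, attrs = parse_set_cookie(header)
        # The Domain attribute, when present, decides which site the cookie belongs to.
        cookie_site = registrable_domain(attrs.get("domain") or response_host)
        third_party = cookie_site != page_site
        ttl = lifetime_seconds(attrs, now)
        cross_site = attrs.get("samesite", "none").lower() == "none"
        reasons = []
        if third_party:
            reasons.append("set by %s, not the page's site %s" % (cookie_site, page_site))
        if ttl >= LONG_LIVED_SECONDS:
            reasons.append("persists %d days" % (ttl // 86400))
        if cross_site:
            reasons.append("SameSite=None or unset")
        if "secure" not in attrs:
            reasons.append("no Secure flag")
        findings.append({
            "name": name,
            "site": cookie_site,
            "tracker": third_party and ttl >= LONG_LIVED_SECONDS and cross_site,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in audit_cookies(SAMPLE_PAGE_HOST, SAMPLE_RESPONSES, now=SAMPLE_NOW):
        flag = "TRACKER" if f["tracker"] else "ok     "
        print(flag, f["name"], "@", f["site"], "-", "; ".join(f["reasons"]))
```

On the constructed sample the first-party session cookie and the CDN preference cookie pass, while the ad network's two-year `uid` cookie and the analytics pixel's 2037-expiry `vid` cookie are flagged. Feeding the script real headers (for example from a browser's developer tools or a proxy log) is the quickest way to see how many of a page's cookies exist only to follow the visitor elsewhere.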

“These companies have default settings that are not private and not secure, because they know consumers will never change these defaults.”

The fixes for the privacy problem aren’t simple.

Soghoian advocates moving away from the free software model to one in which users pay a small fee for a version of the software that is free of tracking features. Today, those choices don’t exist.

“Consumers don’t have a choice. You have one version of Chrome and one version only,” he said. The popular online music streaming system Spotify, he notes, requires a Facebook login to use. “That’s no coincidence. Social interaction drives use.”

While moving the market may be difficult, the government can help promote secure behavior: treating data privacy as a public health crisis and using its reach and huge online presence to promote best practices, such as up-to-date browser platforms and secure configurations.

Categories: Data Breaches, Government, Microsoft, Vulnerabilities, Web Security

Comments (8)

  1. Anonymous
    3

    It’s not just Uncle Sugar falling down on the job.  It’s the places like Google Marketplace, the review sites, and the users themselves.  I went to Google Marketplace and, at random, chose an app that shouldn’t need anything in the way of permissions:

    Jewels Deluxe by Candy Mobile

    I checked the permissions and what do I see?

    “read phone state and identity

    Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.”
     
    No game needs such access.
     
    There’s also full internet access.  But, I guess a case can be made for that for game updates.
     
    It’s right there in black and white.  Yet, Google allows it, the review sites don’t mention it, and no one notices.  Heck, the darn thing has 11,655 downloads.
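The manual check the commenter describes, reading an app's permission list and asking which entries a game could possibly need, can be scripted. The following is an added example, not code from the commenter, the article or the app's vendor: it parses an AndroidManifest.xml and sorts the declared permissions into ones a game can justify, ones that expose identity or sensors, and everything else. The manifest is constructed for illustration (the package name and activity are invented, not the real app's) and mirrors the comment's finding, a game requesting `READ_PHONE_STATE`, which is the permission behind the "read phone state and identity" prompt, alongside `INTERNET`. The permission categories are this example's own judgement, not an Android or Google classification.

```python
"""Flag permissions that do not fit a game's purpose.

Added example, not part of the original comment or article. On a real APK the
manifest is binary XML; decode it first (apktool d app.apk, or aapt dump
permissions app.apk for just the permission list) and feed the text to
audit_permissions().
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that hand over identity, location or sensors, with the reviewer's
# reason for questioning them in a puzzle game. Categories are this example's own.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "device identity (IMEI, phone number) and call state",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.GET_ACCOUNTS": "accounts configured on the device",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "SMS contents",
}

# Permissions a networked game can plausibly justify (updates, leaderboards, haptics).
EXPECTED_FOR_GAMES = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
}

# Constructed manifest; package name and activity are invented for the example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.jewelsgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Jewels">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [e.get(name_attr) for e in root.iter("uses-permission") if e.get(name_attr)]


def audit_permissions(manifest_xml):
    """Bucket the app's permissions into suspect / expected / other, with the reason for each suspect one."""
    root = ET.fromstring(manifest_xml)
    report = {"package": root.get("package"), "suspect": [], "expected": [], "other": []}
    for perm in declared_permissions(manifest_xml):
        if perm in SUSPECT_PERMISSIONS:
            report["suspect"].append((perm, SUSPECT_PERMISSIONS[perm]))
        elif perm in EXPECTED_FOR_GAMES:
            report["expected"].append(perm)
        else:
            report["other"].append(perm)
    return report


if __name__ == "__main__":
    result = audit_permissions(SAMPLE_MANIFEST)
    print("package:", result["package"])
    for perm, why in result["suspect"]:
        print("SUSPECT ", perm, "-", why)
    for perm in result["expected"]:
        print("expected", perm)
    for perm in result["other"]:
        print("review  ", perm)
```

Run against the constructed manifest it reports `READ_PHONE_STATE` as suspect and accepts `INTERNET` and `ACCESS_NETWORK_STATE`, which is exactly the split the commenter made by hand: the network permissions have a plausible update story, the identity permission does not.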
  2. Anonymous
    4

    This prominent privacy activist is correct.  I might also add that the much hyped “Cloud” is a very big privacy risk.  Both Microsoft and Google are moving or already in the cloud.  If you use these cloud services, your user data is stored on their servers where no privacy cleaner can wipe your cookies and user tracks.  You can’t just email Google and ask them to do it for you.  They have it forever. 

  3. Anonymous
    5

    Are you crazy? Chrome is not only free but, most importantly, open source.

    Only an open source product can guarantee you what you want.

    Review the source and compile it yourself. End of story.

     

  4. Anonymous
    6

    Don’t touch Chrome.
    Use Iron – it’s the same source code, without all the Google Phone Home.

  5. Anonymous
    7

    Sure, if it is not on shtml it is not secure, period, but… who, and I mean which person, is looking at your specific data? That is a lot of stuff to go through just to find out you are a person with an active cell phone with a state that shows your number.

    I think this is mostly an overreaction. Although it would be nice if everything were private, I gave up on that concept years ago. Internet or no, people are watching and learning about you and targeting you with products; it’s called marketing. I go to a restaurant and the waitress tries pretty dang hard to sell, sell, sell with various tactics (attentiveness, guilt, leaving me be, acknowledging my preferences). It is a tough world out there and everyone needs a buck or two to survive.

  6. Paul Roberts
    8

    Great point. The WSJ found similar “overreach” when studying popular apps for iPhone. – Paul

Comments are closed.